This is still an issue with:
 - OSSEC HIDS v3.6.0
 - Docker version 19.03.6, build 369ce74a3c
 - Ubuntu 18.04 amd-64 4.15.0-91-generic

OSSEC HIDS Notification.
2020 Mar 30 16:07:38

Received From: 1043003-app1->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Files hidden inside directory '/var/lib/docker/overlay2/be359.../merged/var/lib/dpkg/alternatives'. Link count does not match number of files (2,1).


I found the following which may be helpful:
https://github.com/ossec/ossec-hids/issues/1528

Is it "fixed" in wazuh?  Is that the right fix?
https://github.com/wazuh/wazuh/issues/561

https://github.com/docker/hub-feedback/issues/1228

https://forums.docker.com/t/some-way-to-clean-up-identify-contents-of-var-lib-docker-overlay/30604/21



On Thursday, February 15, 2018 at 7:19:07 AM UTC-5, dan (ddpbsd) wrote:
>
> On Sun, Feb 4, 2018 at 11:33 PM, <gon...@seagroup.com> wrote: 
> > 
> > Hi all, 
> > 
> > I came across this issue: 
> >     Files hidden inside directory '/var/lib/docker/overlay2/xxxxxxxxxxxxx/merged/root/go/src'. Link count does not match number of files (4,1). 
> > on many servers. However, when I checked the OSSEC configuration file on those servers, there is no /var/lib/docker/overlay2 directory written in the configuration file. 
> > 
> > What I guess: since one of those servers is in a cluster, I need to monitor file integrity of this server under /var/lib/docker/overlay2/xxxxxxxxxxxxx. However, the file name is too complicated, so what I did is I generated a number to link to those complicated directories. I am not really sure, is this a problem that caused my above alert to come out on other servers? (PS: those servers connect to the same OSSEC manager server.) 
> > 
>
> This is a rootcheck alert, not syscheck. I know rootcheck has some 
> issues with these overlay filesystems, but I haven't really gotten a 
> chance to look into it to see what can be done. 
>
> > 
> > Thank you for helping, guys. Urgent now. 
> > 
> > Best regards, 
> > 
> > kaiwen 
> > 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/db093ef1-4a3a-46df-8ee4-538d56dc9482%40googlegroups.com.
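The alerts quoted in this thread come from rootcheck comparing a directory's link count against the number of subdirectories it finds plus two (for `.` and `..`); overlayfs merged directories report a link count of 1 whatever they contain, which is why the pairs read (2,1) and (4,1). The script below is an added example for triaging such alerts, not OSSEC's or Wazuh's own code: it reproduces that comparison, parses a constructed /proc/mounts excerpt to find the filesystem type beneath the alerted path, and marks the mismatch as the overlay artefact when the path sits on an overlay mount, so only mismatches on filesystems that keep st_nlink honest are escalated. The overlay2 layer id, the mount list, the alert text and all function names are constructed for illustration.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed /proc/mounts excerpt; the overlay2 id is a placeholder, not a real layer.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime 0 0
overlay /var/lib/docker/overlay2/0123456789abcdef/merged overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAAA:/var/lib/docker/overlay2/l/BBBB,upperdir=/var/lib/docker/overlay2/0123456789abcdef/diff,workdir=/var/lib/docker/overlay2/0123456789abcdef/work 0 0
"""

# Constructed alert text in the shape of the thread's rootcheck message.
SAMPLE_ALERT = ("Files hidden inside directory "
                "'/var/lib/docker/overlay2/0123456789abcdef/merged/var/lib/dpkg/alternatives'. "
                "Link count does not match number of files (2,1).")


def parse_mounts(text):
    """Return [(mount_point, fstype), ...] from /proc/mounts-formatted text.
    The kernel escapes spaces in mount points as \\040; undo that so prefix
    matching works against the real path."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mounts.append((fields[1].replace("\\040", " "), fields[2]))
    return mounts


def fs_type_of(path, mounts):
    """Longest-prefix match of path against the mount points; returns fstype or None."""
    best = None
    for point, fstype in mounts:
        prefix = point.rstrip("/") + "/"
        if path == point or path.startswith(prefix):
            if best is None or len(point) > len(best[0]):
                best = (point, fstype)
    return best[1] if best else None


def parse_alert(log_line):
    """Extract (path, entries, nlink) from the rootcheck message text."""
    m = re.search(r"directory '([^']+)'\..*\((\d+),(\d+)\)", log_line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def rootcheck_counts(path):
    """Reproduce the two numbers rootcheck prints for a directory:
    (subdirectories + 2 for '.' and '..', st_nlink). Symlinks are not followed,
    matching an lstat-based walk. On ext4, xfs or tmpfs the two are equal."""
    subdirs = 0
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_dir(follow_symlinks=False):
                subdirs += 1
    return subdirs + 2, os.lstat(path).st_nlink


@dataclass
class Verdict:
    path: str
    entries: int
    nlink: int
    fstype: str
    overlay_artifact: bool      # mismatch explained by the overlay mount
    needs_investigation: bool   # mismatch on a filesystem that keeps nlink honest


def triage(path, entries, nlink, mounts):
    """Decide whether a link-count mismatch is the known overlayfs behaviour."""
    fstype = fs_type_of(path, mounts)
    mismatch = entries != nlink
    # Overlayfs merged directories report st_nlink == 1 whatever they contain,
    # so (N,1) on an overlay mount is the filesystem, not a hidden file.
    artifact = mismatch and fstype == "overlay" and nlink == 1
    return Verdict(path, entries, nlink, fstype, artifact, mismatch and not artifact)


def make_demo_dir():
    """Create a throwaway directory with two subdirectories and one file."""
    root = tempfile.mkdtemp(prefix="rootcheck-demo-")
    os.mkdir(os.path.join(root, "a"))
    os.mkdir(os.path.join(root, "b"))
    with open(os.path.join(root, "file.txt"), "w") as fh:
        fh.write("x")
    return root


if __name__ == "__main__":
    path, entries, nlink = parse_alert(SAMPLE_ALERT)
    print(triage(path, entries, nlink, parse_mounts(SAMPLE_MOUNTS)))
    demo = make_demo_dir()
    print(demo, rootcheck_counts(demo))
```

On a real host, replace SAMPLE_MOUNTS with the contents of /proc/mounts and feed the alert line from the manager; a mismatch that is not explained by an overlay mount is the case worth looking into, while the (N,1) pairs under /var/lib/docker/overlay2/*/merged are the behaviour the linked issues describe.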